There are many ways to secure config files. This article shows one approach. If an application keeps confidential information in its config file (connection strings, SMTP server details, error-logger settings and so on), that file needs to be secured.
The screenshots below (1, 2, 3) show how an attacker can steal confidential information from a config file.
Steps to secure the config file
Step 1: Keep only framework-related settings in the application's config file
Keep only framework-related settings in your web.config / app.config file and remove all confidential information from it.
Step 2: Create a new config file and move all the confidential information into it
Create a new web.config / app.config file and place all your confidential information in the required sections.
Step 3: Place the newly created config file on your hard disk or on a secured server
Place the newly created web.config / app.config file on your hard disk or on a secured server, outside the web application's directory
(let's say you have placed your config file on your hard disk under D:/).
Step 4: Read the config file
Read the required web.config / app.config sections from the physical drive or from the secured server.
Below is a sample code snippet that reads the required config sections from the external config file.
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Web.Configuration;
using System.Net.Configuration;

namespace SecurityMisConfigurationWebApp
{
    public partial class _Default : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Path of the external config file that holds the confidential sections
            // (outside the web root, so it is never served by the web server).
            var filePath = @"D:\Web.config";

            // Map the external file as an exe-style configuration and open it.
            var map = new ExeConfigurationFileMap { ExeConfigFilename = filePath };
            var configFile = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

            // Read individual keys from the external <appSettings> section.
            AppSettingsSection appSettings = (AppSettingsSection)configFile.GetSection("appSettings");
            string _gxxxxURL = appSettings.Settings["GxxxxURL"].Value;
            string _SMTPHost = appSettings.Settings["SMTPHost"].Value;

            // Read a named entry from the external <connectionStrings> section.
            ConnectionStringsSection connectionStrings = (ConnectionStringsSection)configFile.GetSection("connectionStrings");
            string _aaaConnectionString = connectionStrings.ConnectionStrings["aaaConnectionString"].ConnectionString;

            // Read the <system.net>/<mailSettings> section group; its Smtp property
            // exposes the SMTP host, port and credentials configured there.
            MailSettingsSectionGroup _mailInfo = configFile.GetSectionGroup("system.net/mailSettings") as MailSettingsSectionGroup;
            string _smtpNetworkHost = _mailInfo != null ? _mailInfo.Smtp.Network.Host : null;
        }
    }
}
```
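The following is an added, self-contained example (not code from the original article) that carries steps 2 to 4 through end to end: it writes a constructed external config file with placeholder values, then reads it back with the same `ExeConfigurationFileMap` technique, but with explicit existence and missing-key checks so a misconfiguration surfaces as a clear `ConfigurationErrorsException` rather than a `NullReferenceException`. The class names `SecretSettings` and `ExternalConfigReader`, the temp-file path, and all values in the sample XML are assumptions made for the example; in production the path would be the `D:\Web.config` location from the article.

```csharp
// Added example (not from the original article): writes a throw-away external
// config file with constructed placeholder values, then reads it back the way
// the article describes, with explicit checks instead of null dereferences.
using System;
using System.Configuration;
using System.IO;
using System.Net.Configuration;

namespace SecurityMisConfigurationWebApp
{
    // Hypothetical holder for the values read from the external file.
    public sealed class SecretSettings
    {
        public string GatewayUrl { get; set; }
        public string SmtpHost { get; set; }
        public string AppConnectionString { get; set; }
        public string MailFrom { get; set; }
    }

    public static class ExternalConfigReader
    {
        // Reads the external config at 'filePath' and fails loudly on a missing
        // file or key so the problem is caught at startup, not on first use.
        public static SecretSettings Read(string filePath)
        {
            if (!File.Exists(filePath))
                throw new FileNotFoundException("External config file not found.", filePath);

            var map = new ExeConfigurationFileMap { ExeConfigFilename = filePath };
            Configuration config = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

            var appSettings = (AppSettingsSection)config.GetSection("appSettings");
            var connStrings = (ConnectionStringsSection)config.GetSection("connectionStrings");
            var mail = config.GetSectionGroup("system.net/mailSettings") as MailSettingsSectionGroup;

            return new SecretSettings
            {
                GatewayUrl = Require(appSettings, "GxxxxURL"),
                SmtpHost = Require(appSettings, "SMTPHost"),
                AppConnectionString = RequireConnection(connStrings, "aaaConnectionString"),
                MailFrom = (mail != null && mail.Smtp != null) ? mail.Smtp.From : null
            };
        }

        private static string Require(AppSettingsSection section, string key)
        {
            KeyValueConfigurationElement element = section == null ? null : section.Settings[key];
            if (element == null || string.IsNullOrEmpty(element.Value))
                throw new ConfigurationErrorsException("Missing appSettings key: " + key);
            return element.Value;
        }

        private static string RequireConnection(ConnectionStringsSection section, string name)
        {
            ConnectionStringSettings cs = section == null ? null : section.ConnectionStrings[name];
            if (cs == null || string.IsNullOrEmpty(cs.ConnectionString))
                throw new ConfigurationErrorsException("Missing connection string: " + name);
            return cs.ConnectionString;
        }
    }

    public static class Program
    {
        // Constructed sample content for the external file; placeholder values only.
        private const string SampleExternalConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
  <appSettings>
    <add key=""GxxxxURL"" value=""https://gateway.example.invalid/"" />
    <add key=""SMTPHost"" value=""smtp.example.invalid"" />
  </appSettings>
  <connectionStrings>
    <add name=""aaaConnectionString""
         connectionString=""Server=db.example.invalid;Database=App;User Id=app;Password=PLACEHOLDER;"" />
  </connectionStrings>
  <system.net>
    <mailSettings>
      <smtp from=""noreply@example.invalid"">
        <network host=""smtp.example.invalid"" port=""587"" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>";

        public static void Main()
        {
            // A temp file stands in for the D:\Web.config location used in the article.
            string path = Path.Combine(Path.GetTempPath(), "external-demo.config");
            File.WriteAllText(path, SampleExternalConfig);
            try
            {
                SecretSettings s = ExternalConfigReader.Read(path);
                Console.WriteLine("SMTP host: " + s.SmtpHost);
                Console.WriteLine("Mail from: " + s.MailFrom);
                // Never log the connection string itself; report only that it loaded.
                Console.WriteLine("Connection string loaded: " + (s.AppConnectionString.Length > 0));
            }
            finally
            {
                File.Delete(path);
            }
        }
    }
}
```

Build it as a console project referencing `System.Configuration` (on .NET Framework) or the `System.Configuration.ConfigurationManager` package (on .NET Core / .NET 5+). The reader never echoes the connection string, and the external file is deleted once read, which keeps the secret out of logs and out of the web root for the whole run.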
Output